Sovy News & Blog

Marriott Faces over £99m GDPR Fine

Marriott International (Marriott) faces a proposed fine of just over £99m for a data breach of the Starwood hotels group's systems. The compromise is believed to have begun in 2014, before Marriott acquired Starwood, and the UK regulator attributes it to poor security practices.

Marriott acquired Starwood in 2016 and, according to the UK Information Commissioner’s Office (ICO), did not undertake sufficient due diligence during the acquisition of the group. Further, the breach was only discovered in 2018 and was not reported to the ICO until November 2018, some four years after the initial compromise.

The incident exposed well over 300 million guest records worldwide, including the personal details of around 30 million residents of 31 European Economic Area (EEA) countries, of whom approximately 7 million were UK residents. The ICO announced its intention to fine Marriott on Tuesday 9 July 2019.

It is the second large penalty the ICO has announced this week: Marriott joins British Airways, which received its own notice of intent the day before, as the ICO works through the GDPR incidents reported to it. Both proposed fines far surpass the previous GDPR record, the €50 million penalty that France’s CNIL imposed on Google in January 2019 for failing to adequately disclose its data collection practices and obtain valid consent for personalised advertising.

The ICO Statement

Information Commissioner Elizabeth Denham continued her blunt messaging about organisations’ responsibility to protect personal data and the consequences of failing to do so:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

As the Information Commissioner explained, companies have an obligation to protect their customers’ data. In the ICO’s words: “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The four-year gap between the initial compromise in 2014 and the detection, analysis and reporting of the breach in 2018 is likely to have weighed in the ICO’s decision to propose a fine of this size.

Under the GDPR, organisations that process personal data are legally responsible for keeping it secure (the “integrity and confidentiality” principle in Article 5, backed by the security-of-processing obligations in Article 32). In the ICO’s assessment, Marriott’s data protection programme and its due diligence during the acquisition fell short of acceptable security and data protection practice.

How to avoid GDPR fines

Avoiding fines from the ICO or other supervisory authorities sounds intimidating, but a few practical steps will go a long way towards protecting your customers’ data, and your organisation from fines.

1. Know your data

What types of personal data do you collect and store?

How many people are you collecting data from?

Are there any “special categories” of data involved?

Do you transfer any of it outside the EEA?

The answers to these questions determine the level of risk associated with the personal data you hold. The higher the risk to the people whose data you process, the stronger the security you will need to be able to demonstrate to a Data Protection Authority if something goes wrong or if you are audited.

2. Know your security

If you experience a personal data breach, you must report it to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. And if, under inspection, your security software is out of date, or you are not using basic controls such as anti-malware software, firewalls and TLS (HTTPS) on every page that collects personal data, you will probably be liable for a fine.

The same goes for access controls: if everyone in your company can read customers’ personal data regardless of whether they need it for their job, you are setting yourself up for a fine. Access should be granted on a least-privilege, need-to-know basis and reviewed regularly as roles change.

3. Get audit-ready

You need to be prepared for an audit or investigation if a data breach does happen. That means having the appropriate policies and procedures in place well before the breach occurs.

These include a data breach response protocol, a broad data protection policy, and cybersecurity and data protection training for every employee who has access to personal data.

Finally, make sure you document your personal data in a personal data inventory, describing the types of data your company collects, where it is stored, how long it is kept, who has access to it, how it is deleted, and to whom it is transferred.

Need help?

Sovy’s GDPR Essentials can help you with each of the steps laid out above:

Walk through a data mapping exercise and build your data inventory.

Build all the policies you need under the GDPR, including a privacy policy, data protection policy, and data breach response forms.

Train your employees with industry-standard eLearning courses.

Track document access and history to ensure transparency in the event of an audit.
